Privacy Policy

As of: 23 April 2026

1 Controller

The controller responsible for data processing on this website and within the scope of our services in accordance with the General Data Protection Regulation (GDPR) is:


Alp Ami Hospitality GmbH

Finkenstraße 22

82166 Gräfelfing

Germany


E-mail: datenschutz@alp-ami.com


The controller alone or jointly with others determines the purposes and means of processing personal data (e.g. names, contact details, etc.).


For data protection enquiries, you can reach us at any time at datenschutz@alp-ami.com.

2 Your Rights as a Data Subject

You have the following rights with regard to your personal data processed by ALPAMI:


  • Right of access  (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability  (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7 (3) GDPR) with effect for the future
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)


An informal notification by e-mail to datenschutz@alp-ami.com is sufficient to assert these rights. The lawfulness of data processing carried out on the basis of consent until withdrawal remains unaffected by the withdrawal.

3 Competent Supervisory Authority

The supervisory authority responsible for ALPAMI is:


Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18

91522 Ansbach

Germany


A list of all supervisory authorities can be found at:

https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

4 Data Processing in the Context of Accommodation

4.1 Booking and Contract Processing


When you make a booking with ALPAMI, we process the following data:


  • First and last name of the main Guest
  • E-mail address
  • Telephone number
  • Billing address
  • Payment data (credit card details, PayPal ID, etc.)
  • Booking period, room preferences, number of Guests
  • If applicable, identification data for identity verification (identity card or passport)
  • Data to fulfil the registration obligation under the German Federal Registration Act (BMG)


For the management of our bookings, Guest data, and room occupancy, we use the property management system (PMS) of apaleo GmbH, Heßstraße 82, 80797 Munich, Germany. apaleo acts as our data processor pursuant to Art. 28 GDPR. Data processing takes place within the EU on the basis of a corresponding data processing agreement. Further information: https://apaleo.com/privacy.


Legal basis: Art. 6 (1) lit. b GDPR (performance of contract) and Art. 6 (1) lit. c GDPR (legal obligation, in particular under the BMG and tax law provisions).


Storage period: The data is stored for the duration of the contractual relationship and within the scope of the statutory retention periods (in particular Sections 147 of the German Fiscal Code (AO) and 257 of the German Commercial Code (HGB): 6–10 years). Registration forms are retained for one year in accordance with Section 30 BMG.


4.2 Identity Verification


To verify identity, we are entitled to inspect a valid identification document and credit card data at check-in. Permanent storage of identification data only takes place within the legally permissible framework.


Legal basis: Art. 6 (1) lit. b and lit. f GDPR (performance of contract and legitimate interest in preventing misuse and fraud).


4.3 Communication During the Stay


With your consent, we will send you messages about your booking via your preferred communication channel (e-mail, WhatsApp, SMS, etc.).


Note on WhatsApp: When using WhatsApp, data is transmitted to Meta Platforms Ireland Ltd. Meta may process metadata (e.g. telephone number, usage times). Transmission to third countries (USA) cannot be ruled out. The legal basis is your consent (Art. 6 (1) lit. a GDPR), which you can withdraw at any time.


4.4 Payment Processing


To process payments, we cooperate with the following payment service providers:


Credit card (Visa, MasterCard) — via Adyen

PayPal — PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg

Sofortüberweisung (SOFORT) — Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden


These providers process your payment data as independent controllers. Their privacy policies can be viewed on the respective websites.


Legal basis: Art. 6 (1) lit. b GDPR (performance of contract).


4.5 Pandemic-Related Evidence


In the event of a pandemic, we may request evidence (vaccination, test, or recovery certificates) in accordance with the applicable official requirements. This data is processed exclusively to fulfil legal requirements and will be deleted immediately once the purpose ceases to apply.


Legal basis: Art. 6 (1) lit. c GDPR in conjunction with Art. 9 (2) lit. i GDPR (health data on the basis of public health regulations).

5 Data Processing on the Website

5.1 SSL/TLS Encryption


For security reasons and to protect the transmission of confidential content, our website uses SSL or TLS encryption. You can recognise an encrypted connection by the "https://" address line and the lock symbol in your browser.


5.2 Server Log Files


The provider of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits:


  • Page visited on our domain
  • Date and time of the server request
  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • IP address


This data is not merged with other data sources. The storage takes place to ensure IT security and the stability of the website.


Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in the secure operation of the website).


Storage period: 7 days, then automatic deletion or anonymisation.


5.3 Contact Form


Data transmitted via our contact form, including your contact details, will be stored in order to process your enquiry and to be available for any follow-up questions. This data will not be passed on without your consent.


Legal basis: Art. 6 (1) lit. a GDPR (consent) or Art. 6 (1) lit. b GDPR (initiation of a contractual relationship).


Storage period: The data remains with us until you request its deletion, withdraw your consent, or until the purpose of the storage no longer applies. Mandatory statutory provisions — in particular retention periods — remain unaffected.


5.4 Newsletter


To send our newsletter, we require your e-mail address and your first name. Further information is voluntary. The data will be used exclusively for sending the newsletter and creating your Guest profile.


Legal basis: Art. 6 (1) lit. a GDPR (consent). Registration is carried out using the double opt-in procedure.


You can withdraw your consent at any time, for example by clicking on the "Unsubscribe" link in any newsletter e-mail. After unsubscribing, the data collected exclusively for sending the newsletter will be deleted.

6 Cookies and Tracking Technologies

6.1 General Information


Our website uses cookies. These are small text files that your web browser stores on your end device. We distinguish between:


  • Technically necessary cookies, which are absolutely required for the operation of the website (legal basis: Art. 6 (1) lit. f GDPR in conjunction with Section 25 (2) No. 2 TDDDG).
  • Non-essential cookies (e.g. for analysis or marketing purposes), which are only set with your express consent (legal basis: Section 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a GDPR).


You can monitor, restrict, or prevent the use of cookies in your browser. Disabling cookies may result in limited functionality of our website.


6.2 Consent Management


When you first visit our website, you will be given the opportunity, via our consent management tool, to consent to or reject the use of non-essential cookies. You can adjust your settings at any time via the "Cookie Settings" link in the footer of our website.


6.3 Google Analytics


Provided that you have given your consent, our website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies that enable an analysis of the use of the website. The information generated by cookies about your use of this website is generally transmitted to a Google server in the USA and stored there.


IP anonymisation: We use Google Analytics with activated IP anonymisation. Your IP address will be shortened within the EU or the EEA before being transmitted to Google.


Third-country transfer: A transfer to the USA takes place on the basis of the EU-US Data Privacy Framework (DPF). Google LLC is certified under the DPF (https://www.dataprivacyframework.gov/). In addition, we have concluded a data processing agreement with Google in accordance with Art. 28 GDPR as well as EU Standard Contractual Clauses.


Legal basis: Art. 6 (1) lit. a GDPR in conjunction with Section 25 (1) TDDDG (consent).


Withdrawal: You can withdraw your consent at any time via the cookie settings. Alternatively, you can use Google's browser add-on: https://tools.google.com/dlpage/gaoptout.


Storage period: The data sent by us and linked to cookies is automatically deleted after 14 months.


Further information: https://policies.google.com/privacy.


6.4 Fonts


Our website uses fonts that are hosted locally on our own servers. When our website is accessed, no connection to external servers (e.g. Google Fonts) is established and no transmission of your IP address or other personal data to third parties takes place.

7 Recipients of Data and Data Processing

We only pass on your personal data if this is legally permissible or necessary for the performance of the contract. Typical recipients are:


  • apaleo GmbH (property management system) — see Section 4.1
  • Payment service providers (see Section 4.4)
  • IT service providers, hosting providers
  • Tax advisors, auditors, and lawyers within the legally permissible framework
  • Registration authorities (under the German Federal Registration Act)
  • Tax authorities (under the German Fiscal Code)


We have concluded contracts with data processors in accordance with Art. 28 GDPR.

8 Data Transfer to Third Countries

If data is transferred to countries outside the EU/EEA (in particular the USA), this only takes place if:


  • an adequacy decision by the EU Commission exists (e.g. EU-US Data Privacy Framework), or
  • EU Standard Contractual Clauses (SCCs) have been concluded, or
  • your express consent is given (Art. 49 (1) lit. a GDPR).

9 Automated Decision-Making

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place at ALPAMI.

10 Changes to this Privacy Policy

We reserve the right to amend this privacy policy in order to adapt it to changed legal situations or in the event of changes to our services. The current version is available on our website.